Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.
CVE-2017-5641
This critical-severity CVE scores 9.8 under NVD CVSS v3. EPSS exploit probability: 48.5%, top 2% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 9.8
- EG Score
- 9.8(medium)
- EPSS
- 97.3%
- KEV
- Not listed
Published
December 28, 2017
Last Modified
May 13, 2026
Advisory Details (8)
Auto-updated May 18, 2026ZDI-22-507 | Zero Day Initiative
https://www.zerodayinitiative.com/advisories/ZDI-22-507/ZDI-22-506 | Zero Day Initiative
https://www.zerodayinitiative.com/advisories/ZDI-22-506/VU#307983 - Action Message Format (AMF3) Java implementations are vulnerable to insecure deserialization and XML external entities references
https://www.kb.cert.org/vuls/id/307983[FLEX-35290] Deserialization of Untrusted Data via Externalizable.readExternal - ASF Jira
https://issues.apache.org/jira/browse/FLEX-35290Affected Packages
(2 across 1 ecosystem)
Maven(2)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.apache.flex.blazeds:flex-messaging-core | 4.7.0, 4.7.1, 4.7.2 | 4.7.3 | — |
| org.apache.flex.blazeds:flex-messaging-remoting | 4.7.0, 4.7.1, 4.7.2 | 4.7.3 | — |
Data Freshness Timeline
(refreshed 9× in last 7d / 34× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-07 13:42 UTCEPSS rescore
- 2026-07-06 02:20 UTCEPSS rescore
- 2026-07-06 02:20 UTCEPSS rescore
- 2026-07-05 02:27 UTCEPSS rescore
- 2026-07-04 06:28 UTCEPSS rescore
- 2026-07-02 16:54 UTCEPSS rescore
- 2026-07-01 15:02 UTCEPSS rescore
- 2026-06-30 23:19 UTCEPSS rescore
- 2026-06-30 23:19 UTCEPSS rescore
- 2026-06-29 14:03 UTCEPSS rescore
- 2026-06-28 14:04 UTCEPSS rescore
- 2026-06-28 04:53 UTCEPSS rescore
- 2026-06-27 03:06 UTCEPSS rescore
- 2026-06-27 03:05 UTCEPSS rescore
- 2026-06-25 13:47 UTCEPSS rescore
- 2026-06-24 14:02 UTCEPSS rescore
- 2026-06-24 14:02 UTCEPSS rescore
- 2026-06-23 21:30 UTCEPSS rescore
- 2026-06-22 14:23 UTCEPSS rescore
- 2026-06-22 14:23 UTCEPSS rescore
- 2026-06-21 01:57 UTCEPSS rescore
- 2026-06-21 01:57 UTCEPSS rescore
- 2026-06-18 17:50 UTCEPSS rescore
- 2026-06-17 17:50 UTCEPSS rescore
- 2026-06-16 17:50 UTCEPSS rescore
Show 48 moreShow fewer
- 2026-06-16 17:50 UTCEPSS rescore
- 2026-06-15 17:45 UTCEPSS rescore
- 2026-06-14 23:14 UTCEPSS rescore
- 2026-06-13 22:57 UTCEPSS rescore
- 2026-06-12 23:09 UTCEPSS rescore
- 2026-06-10 22:15 UTCEPSS rescore
- 2026-06-10 13:19 UTCEPSS rescore
- 2026-06-08 14:14 UTCEPSS rescore
- 2026-06-08 14:14 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
- 2026-06-05 06:08 UTCEPSS rescore
- 2026-06-05 06:08 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-29 13:41 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-27 13:38 UTCEPSS rescore
- 2026-05-27 13:38 UTCEPSS rescore
- 2026-05-26 13:42 UTCEPSS rescore
- 2026-05-26 13:42 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-23 00:10 UTCEG score recompute
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-21 22:40 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 07:40 UTCEG score recompute
- 2026-05-20 03:39 UTCEG score recompute
- 2026-05-19 23:38 UTCEG score recompute
- 2026-05-19 19:37 UTCEG score recompute
- 2026-05-19 15:36 UTCEG score recompute
- 2026-05-19 11:34 UTCEG score recompute
- 2026-05-19 07:32 UTCEG score recompute
- 2026-05-19 03:30 UTCEG score recompute
- 2026-05-18 23:30 UTCEG score recompute
- 2026-05-18 21:30 UTCEPSS rescore
Frequently asked(5)
What is CVE-2017-5641?
When was CVE-2017-5641 disclosed?
Is CVE-2017-5641 actively exploited?
What is the CVSS score of CVE-2017-5641?
How do I remediate CVE-2017-5641?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2017-5641
Is Your Infrastructure Affected by CVE-2017-5641?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.